Solved

Restricted users are able to browse secure sites at restricted times

Posted on 2008-11-11
729 Views
Last Modified: 2013-12-16
We have configured squid proxy server 2.6 STABLE on a Fedora 6 box. We have given full-time net access to particular users only. The remaining users can access the net only at particular times. But for Skype access we have given access to all users. This is our code for Skype access.

 acl Safe_ports port 80 # http
 acl Safe_ports port 21 # ftp
 acl Safe_ports port 443 563 # https, snews
 acl Safe_ports port 70 # gopher
 acl Safe_ports port 210 # wais
 acl Safe_ports port 1025-65535 # unregistered ports
 acl Unreg_ports port 1025-65535 # unregistered ports

 acl Safe_ports port 280 # http-mgmt
 acl Safe_ports port 488 # gss-http
 acl Safe_ports port 591 # filemaker
 acl Safe_ports port 777 # multiling http

 acl udpproto proto UDP

 http_access allow udpproto Safe_ports

For all users Skype is working fine. The limited-time users (limited net access users) are able to access some secure sites like Gmail, Hotmail and many banking sites. I want to allow only Skype access, not secure websites, for limited users at restricted times.
Question by:rajasekarramasamy
8 Comments
LVL 29

Expert Comment

by:Michael Worsham
ID: 22947064
Perhaps this thread can shed some light...

Multiple ACL time restrictions
http://www.squid-cache.org/mail-archive/squid-users/200105/0870.html

Author Comment

by:rajasekarramasamy
ID: 22947197
Hi mwecomputers,

I don't need a solution for ACL time restriction.

FYI

In our setup we have enabled Skype access for the users having limited (time-restricted) net access.

For Skype access via squid we need to allow https port 443 to connect Skype via squid. If we enable this secure port, the restricted (time-restricted) users are able to access secure sites during the restricted time.

LVL 29

Expert Comment

by:Michael Worsham
ID: 22948899
I don't know if squid can accomplish what you are asking for... however...

An easy solution would be setting up an Untangle application server between your router and your internal network in transparent bridge mode. The Untangle appliance has a Web Content Control module that filters user access to specific Internet websites including setting time and user based policies (e.g. allow gmail access during lunch and outside business hours). The Web Content Control also enables you to choose among these categories to define web content control policies in your workplace. It can use custom URL blocklists for hosts, domains, and file types to block/filter additional content.

Untangle Site:
http://www.untangle.com/

Untangle Product Overview:
http://www.untangle.com/index.php?option=com_content&task=view&id=86&Itemid=179

Untangle Demo/Video Overview
http://www.untangle.com/video_overview/

Author Comment

by:rajasekarramasamy
ID: 22973447
I need a solution in squid only.
LVL 2

Expert Comment

by:dennisonz
ID: 23012181

have you tried:

 # ACL type is dstdomain (one word); a leading dot matches the domain and all its subdomains
 acl https_sites dstdomain "/etc/squid/https_sites"
 http_access deny https_sites

the "/etc/squid/https_sites" contains one domain per line, for Gmail, Hotmail and the banking sites, e.g.:
 .gmail.com
 .hotmail.com
 .examplebank.com

Author Comment

by:rajasekarramasamy
ID: 23012234
I tried with your settings and the users are able to browse. The problem is that for Skype I enable port 443 (https) for all users (full-time net users and limited net-time users). The limited net-time users are able to browse https sites (they are able to browse only https sites) at restricted-browsing hours. This is the problem I am facing. Skype uses only port 443 to connect. Is there any way to connect Skype via squid without using port 443 (https)?

This is my config for skype connection in squid.

 acl Safe_ports port 443
 acl udpproto proto UDP
 http_access allow udpproto Safe_ports


Any solution? It is very urgent.
LVL 2

Expert Comment

by:dennisonz
ID: 23012256

With the settings in my previous post, it would also block:

http://www.gmail.com
https://www.gmail.com

These are my settings in Squid and they're working fine. Place this one after your config for the Skype connection.
LVL 2

Accepted Solution

by:
dennisonz earned 1500 total points
ID: 23012289

Haven't tried this yet but it's worth a try: have Skype use a different port number instead of 443. Then remove 443 from your Safe_ports.

Like for example:
 acl Safe_ports port 80 # http
 acl Safe_ports port 21 # ftp
 acl Safe_ports port 444 # skype
 acl Safe_ports port 70 # gopher
 acl Safe_ports port 210 # wais
 acl Safe_ports port 1025-65535 # unregistered ports
 acl Unreg_ports port 1025-65535 # unregistered ports

 acl Safe_ports port 444
 acl udpproto proto UDP
 http_access allow udpproto Safe_ports

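An added squid 2.6 configuration fragment, written for this thread and not posted by anyone above, that does in Squid what the question asks: Squid relays only TCP, and what Skype sends through it is a CONNECT tunnel to port 443, which at the proxy looks exactly like a browser opening an HTTPS site; so the fragment denies such tunnels for the time-limited group during restricted hours and opens only a verified Skype destination list. The subnet, the hours and the two list files are assumptions, and rule order matters because http_access is evaluated first-match.

```squid
# Added example for this thread (not posted by anyone above).
# Subnet, hours and the two list files are assumed placeholders.
acl all              src 0.0.0.0/0.0.0.0
acl localnet         src 192.168.0.0/16          # whole LAN (placeholder)
acl limited_users    src 192.168.10.0/24         # time-restricted group (placeholder)
acl restricted_hours time MTWHF 09:00-17:00      # hours with no web access for that group (placeholder)

acl CONNECT    method CONNECT                    # every https:// request via a proxy is a CONNECT tunnel
acl SSL_ports  port 443
acl Safe_ports port 80 21 443 70 210 280 488 591 777
acl Safe_ports port 1025-65535

# Hardening absent from the original config: refuse ports outside the list
# and tunnels to anything but 443 (otherwise a CONNECT to any port in
# 1025-65535 is accepted as well).
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# dennisonz's deny list, narrowed to the group and hours in question.
# http_access is first-match, so this must sit above any allow rule that
# would match the same request. dstdomain matches the host of a CONNECT
# request, so the https:// form of each listed site is covered.
acl https_sites dstdomain "/etc/squid/https_sites"
http_access deny limited_users restricted_hours https_sites

# A tunnel is opaque to Squid: it sees host:port, not whether the client
# is Skype or a browser. So deny all tunnels for the group during the
# restricted hours, opening only destinations verified from your own
# access.log (assumed file, one domain per line).
acl skype_dst dstdomain "/etc/squid/skype_dst"
http_access allow limited_users restricted_hours CONNECT skype_dst
http_access deny  limited_users restricted_hours CONNECT

# Full-time users, and the limited group outside restricted hours, keep
# normal access; anything unmatched is refused.
http_access allow localnet
http_access deny all
```

Check the effect in access.log: a TCP_DENIED on a CONNECT line from a limited_users address during restricted_hours means the deny fired, and a TCP_MISS to a host not in skype_dst means an allow rule above it matched first.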